The Battle of the Bug

Posted 11/01/2001

Government, Industry Move to Protect Internet from Cyber Attacks, Viruses

By Gail Lawyer

The federal government and the private sector are bracing themselves for a war on another front: cyberspace.

As the cost of clean-up and lost productivity related to past computer viruses and worms continues to mount, security experts warn that cyber attacks are likely to increase dramatically as the United States and its allies fight terrorism.

"Just as the terrorist attacks of Sept. 11, 2001, defined what many thought possible, cyber attacks could escalate in response to United States and allied retaliatory measures against the terrorists responsible for the attack," says a Sept. 22 report called "Cyber Attacks During the War on Terrorism: A Predictive Analysis," produced by Dartmouth College's Institute for Security Technology Studies.

Potential attackers could be terrorists, terrorist sympathizers or those with general anti-U.S. or anti-allied sentiments, targeted nation-states, or thrill seekers who are not politically motivated but are looking for notoriety, says the report.

It adds that their methods of cyber revenge could include web defacements and semantic attacks, domain name service (DNS) attacks, distributed denial of service attacks, worms, routing vulnerabilities and infrastructure attacks, or a combination of some or all of the above.

By the end of August, the cost of virus attacks in 2001 totaled nearly $10.7 billion, according to researchers at Computer Economics. In previous years, computer viruses have done quite a bit of financial damage, the group says. During 2000, virus attacks cost an estimated $17.1 billion, with the Love Bug and its 50 variants doing about $8.7 billion worth of harm. And in 1999, the estimated damage was reported to be $12.1 billion.

This year's tally could exceed that of last year by a wide margin, as U.S. Attorney General John Ashcroft estimated that Nimda, which appeared in mid-September, could cause far more damage than Code Red, which appeared in July and August and infected more than 250,000 systems in nine hours.

Code Red accounted for $2.6 billion in damage -- $1.5 billion in lost productivity and $1.1 billion in clean-up costs.

"We've seen recognition at the highest level of government that the cyber world could be used as a tool to commit terrorist attacks," says Jose Granado, a partner and national leader of the network assessment group for Ernst & Young LLP. "We've also seen that the attorney general considers hacking and viruses as a terrorist attack."

E-business infrastructure companies agree and admit that much more work is necessary to ensure network security and prevent future financial losses.

"There's not going to be a way to stop [viruses]," says Michael Mychalczuk, product manager for security products at NetIQ Corp. "It's impossible to keep up with them all. It's a slippery slope until you get operating systems that are more secure."

But, in the end, who is responsible for overseeing and coordinating efforts to prevent abuses of our nation's networks? The answer is not clear.

A handful of public/private partnerships are working to increase network security through education and benchmarks. And many experts anticipate that the federal government may step up its involvement through the newly proposed Office of Homeland Security.

"We'd like to see something more come out of this that is federally mandated," says Andy Faris, president of MessageLabs, a managed service provider that specializes in Internet-level e-mail content filtering. "There must be some protection at the ISP level. It makes so much sense because this is the source of the problem."

E&Y's Granado says there must be a more concerted effort to bring all security-related information together in a central repository that could be used to prevent widespread attacks.

The National Infrastructure Protection Center (NIPC), a group founded in 1998 and located in the FBI's Washington, D.C. headquarters, already is doing some of this. The NIPC -- which brings together representatives from federal, state and local governments, and the private sector -- is designed to serve as the government's lead mechanism for preventing and responding to cyber attacks on the nation's infrastructure.

Included under the NIPC are Regional Computer Intrusion Squads that investigate violations of the Computer Fraud and Abuse Act, such as intrusions on public and major computer networks, privacy violations, industrial espionage and pirated computer software, among other things.

Other industry organizations include the SANS (System Administration, Networking and Security) Institute, the Computer Security Institute, and the Center for Internet Security (CIS).

SANS is a cooperative education and research organization that has provided training and security awareness since 1989. The Computer Security Institute, which was established in 1974, also provides training and seminars on security-related issues.

The CIS, through industry consensus, develops benchmarks and tools to help companies identify where their security may be lacking and what must be done to reach an acceptable level of protection. The CIS's first benchmark, for the Sun Solaris operating system, was released in July and has been downloaded 5,000 times already, says Clint Kreitner, CIS's president and CEO. Benchmarks for other operating systems will be available in the near future.

Cyber attacks have been exacerbated by the fact that corporate America is rather sensitive about revealing that it has been hacked. Yet, by sharing information, a company that may be a victim could help educate other firms about potential holes in their networks or common security lapses that could be easily fixed.

"What makes this so difficult is that companies did their best to keep security issues a secret," says Mychalczuk. "The problem has always been getting company A and company B to talk to each other" about their security lapses.

Security experts say they hope that greater awareness and public/private partnerships' educational efforts will help businesses step up their network security activities. But many worry that the biggest hole is in the consumer space.

"Consumers are the weak spot," says Ben Trowbridge, chairman and CEO of United Messaging Inc. "With broadband connections, [hackers] can use PCs to hack all the corporate networks."

While there is more consumer awareness that firewalls and virus scanning programs are needed for the home PC, many still believe that ISPs should be more proactive in protecting their customers.

"It's high time that ISPs take this much more seriously than they have," says Faris. "We really need to raise the bar on our level of protection. For consumers, it's about whether the ISP is covering all its customer bases."

Faris notes that one in 300 e-mails now has some type of virus. That is up from one in 1,800 e-mails in January 2000.

But ISPs have a challenge of time and resources, says E&Y's Granado. "I would only assume that ISPs are going to step up the level of awareness and participation in this, and take a closer look at the activity of their users, protecting privacy, but following up on things that aren't the norm."
